Bug Description

When you consume a trust in a v2 token you must provide the project id as part of your auth. This is a bug and should be reported after this.

If the trustee requests a trust scoped token to a project different to the one the trust is created for AND the trustor has the required roles in the other project then the token will be provided with those roles on the other project.
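The scope check the report is missing, as an added example that is not Keystone's own code: a small model of trust-scoped token issuance with a constructed role-assignment table. `issue_token_unchecked` reproduces the behaviour described above (the requested project id is honoured as given, so the trustee inherits the trustor's roles on any project the trustor can reach), and `issue_token_checked` is the hardened form that refuses any project other than the one the trust was created for. The `Trust` dataclass, the assignment table and the project/user names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Trust:
    """Constructed stand-in for a Keystone trust record."""
    trust_id: str
    trustor_id: str
    trustee_id: str
    project_id: str  # the project the trust was created for
    roles: frozenset = field(default_factory=frozenset)  # roles delegated by the trustor


class ScopeMismatch(Exception):
    """Requested project does not match the project the trust was created for."""


def trustor_roles(assignments, user_id, project_id):
    """Roles a user currently holds on a project, from a (user, project, role) table."""
    return frozenset(role for user, project, role in assignments
                     if user == user_id and project == project_id)


def issue_token_unchecked(trust, trustee_id, requested_project_id, assignments):
    """Behaviour the report describes: the requested project is taken as-is, so the
    trustee gets the delegated roles on any project where the trustor holds them."""
    if trustee_id != trust.trustee_id:
        raise PermissionError("caller is not the trustee of this trust")
    roles = trust.roles & trustor_roles(assignments, trust.trustor_id, requested_project_id)
    return {"project_id": requested_project_id, "roles": sorted(roles)}


def issue_token_checked(trust, trustee_id, requested_project_id, assignments):
    """Hardened form: a trust-scoped token may only be scoped to the trust's project,
    and the trustor must still hold the delegated roles there at issue time."""
    if trustee_id != trust.trustee_id:
        raise PermissionError("caller is not the trustee of this trust")
    if requested_project_id != trust.project_id:
        raise ScopeMismatch(
            f"trust {trust.trust_id} is scoped to {trust.project_id}, "
            f"not {requested_project_id}")
    roles = trust.roles & trustor_roles(assignments, trust.trustor_id, trust.project_id)
    if not roles:
        raise PermissionError("trustor no longer holds the delegated roles")
    return {"project_id": trust.project_id, "roles": sorted(roles)}


# Constructed data: alice is admin on two projects but only delegates project-a to bob.
ASSIGNMENTS = [
    ("alice", "project-a", "admin"),
    ("alice", "project-b", "admin"),
    ("bob", "project-c", "member"),
]
TRUST = Trust(trust_id="trust-1", trustor_id="alice", trustee_id="bob",
              project_id="project-a", roles=frozenset({"admin"}))


if __name__ == "__main__":
    # Unchecked issuance hands bob admin on project-b, which the trust never covered.
    print(issue_token_unchecked(TRUST, "bob", "project-b", ASSIGNMENTS))
    # Checked issuance only ever yields a token on project-a.
    print(issue_token_checked(TRUST, "bob", "project-a", ASSIGNMENTS))
    try:
        issue_token_checked(TRUST, "bob", "project-b", ASSIGNMENTS)
    except ScopeMismatch as exc:
        print("rejected:", exc)
```

The check belongs in the token-issuance path rather than in the client, since the v2 API requires the caller to supply a project id and the server is the only place that can compare it against the trust record.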

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out of scope project id, a trustee may gain unauthorized access to another project if the trustor has the required roles to the other project. All Keystone deployments configured to enable trusts and V2 API are affected.

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out of scope project id, a trustee may gain unauthorized access if the trustor has the required roles in the requested project id. All Keystone deployments configured to enable trusts and V2 API are affected.

@Jamie Lennox, well it's not mandatory at all :) We prefer having someone from keystone-coresec push the patch in case of unexpected failures, but hopefully it's just a matter of applying the patch and hitting git-review.

Thanks Dolph for taking care of that. The disclosure date has been set to:
2014-07-02, 1500UTC